McAfee: ‘App Collusion’ Latest Mobile Security Risk

McAfee identifies common apps that could be commandeered by attackers to steal information or carry out financial transactions

Out-of-date versions of common mobile applications could be commandeered by cyber-criminals to steal information, carry out illicit financial transactions and misuse services, according to a new study from Intel’s McAfee Labs, which also found a continued increase in ransomware attacks and macro malware aimed at enterprises.

The study is the latest to highlight the new and often as-yet undetectable security risks posed by mobile devices, particularly those that haven’t been updated regularly or that have been rooted or jailbroken.

New threat

The lab’s threat report for June 2016 found that more than 5,000 versions of 21 consumer mobile applications could be used in a type of cybercrime it calls mobile app collusion, in which apps with different capabilities are made to work together to bypass security controls.

“The failure of users to regularly implement essential software updates to these 21 mobile apps raises the possibility that older versions could be commandeered for malicious activity,” McAfee said in a statement.

The apps carry out common functions such as mobile video streaming, health monitoring and travel planning, McAfee said.

App collusion involves the use of one app that has access to restricted information or a restricted service and another that has access outside the device. Ordinarily, different applications are isolated using sandboxes that prevent them from communicating with one another, but mobile platforms also include “fully documented ways for apps to communicate with each other across sandbox boundaries,” McAfee stated.
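A defender-side check for the pattern described above, as an added example that is not taken from the McAfee report: it walks a constructed app inventory and reports chains in which restricted data can reach a network-capable app that could not read that data itself. The Android-style permission names, the app names and the channel names are assumptions for illustration, and following chains longer than two apps generalizes the two-app case in the text.

```python
from collections import deque

# Assumption: Android-style permissions stand in for "restricted information"
# (SENSITIVE) and "access outside the device" (NETWORK).
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}
NETWORK = "android.permission.INTERNET"

# Constructed inventory: declared permissions plus the inter-app channels
# (hypothetical broadcast-style action names) each app sends on and listens on.
APPS = {
    "fitness.tracker": {"perms": {"android.permission.ACCESS_FINE_LOCATION"},
                        "sends": {"example.SYNC"}, "receives": set()},
    "photo.filter": {"perms": set(),
                     "sends": {"example.RELAY"}, "receives": {"example.SYNC"}},
    "video.player": {"perms": {NETWORK},
                     "sends": set(), "receives": {"example.RELAY"}},
    "trip.planner": {"perms": {NETWORK, "android.permission.READ_CONTACTS"},
                     "sends": {"example.SHARE"}, "receives": set()},
    "notes": {"perms": set(), "sends": set(), "receives": {"example.SHARE"}},
}

def collusion_paths(apps):
    """Return (path, leaked_perms) for each shortest chain of apps that lets
    restricted data reach a network-capable app that cannot read it itself."""
    findings = []
    for src, info in apps.items():
        data = info["perms"] & SENSITIVE
        if not data:
            continue  # this app holds nothing restricted to pass on
        queue, seen = deque([[src]]), {src}
        while queue:  # breadth-first search over sender -> receiver edges
            path = queue.popleft()
            sends = apps[path[-1]]["sends"]
            for nxt, cand in apps.items():
                if nxt in seen or not (sends & cand["receives"]):
                    continue
                seen.add(nxt)
                leaked = data - cand["perms"]  # data the receiver lacks rights to
                if NETWORK in cand["perms"] and leaked:
                    findings.append((path + [nxt], sorted(leaked)))
                queue.append(path + [nxt])
    return findings

if __name__ == "__main__":
    for path, leaked in collusion_paths(APPS):
        print(" -> ".join(path), "may expose", ", ".join(leaked))
```

A finding here is a candidate for review, not proof of collusion: it shows only that the declared permissions and channels make the flow possible.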

Data theft

The technique can result in the theft of confidential information, the execution of illicit financial transactions or the misuse of services, the firm said.

While app collusion has been considered a theoretical threat for years, McAfee said this was the first time the capability has been identified in particular software, which could be exploited via accidental data leakage or a malicious library or software development kit.

“It should not come as a surprise that adversaries have responded to mobile security efforts with new threats that attempt to hide in plain sight,” stated Vincent Weafer, vice president of the McAfee Labs group.

The lab said it is working on tools to identify and stop such attacks and advised users to download applications only from trusted sources, avoid software with embedded advertising, avoid “jailbroken” or “rooted” mobile devices and keep apps and operating systems up to date.

Ransomware continues to rise

The report also documents the return of a Trojan horse called Pinkslipbot, capable of stealing banking credentials, email passwords and digital certificates. It first emerged in 2007 but has reappeared since late last year with new features designed to make it harder to detect and reverse-engineer.

McAfee found that new ransomware samples rose sharply by 24 percent in the first quarter of this year, as relatively low-skilled criminals began using this type of malware, generally via exploit kits which automate the exploitation of software vulnerabilities.

New mobile malware samples rose by 17 percent quarter-over-quarter in the first quarter, and have grown 113 percent over the past four quarters, McAfee found.

Macro malware increased by 42 percent quarter-over-quarter, continuing the trajectory that began last year for this new threat, which is often used to attack enterprises via sophisticated spam messages that use information gathered through social engineering, McAfee said.

Mac OS malware also rose sharply by 68 percent in the first quarter, mainly due to an increase in a type of adware called VSearch, but McAfee noted that the total number of Mac OS samples is still low.

A botnet called Gamut became the biggest spam producer in the quarter, growing in volume by nearly 50 percent and generally sending out get-rich-quick or pharmaceuticals emails, the study found.
